Samba: Domain controller or not?

Hi

I’ve been asked to help set up some computers at a local youth club that they’ve been given (got roped into it because a family member is involved with running the place), and could do with a little advice on ways to go about it

Basic requirements are likely to be that they sign on with the same username/password on all the machines and then get things like the same personal folders, browser & mail profiles (bookmarked sites, accounts and such) etc

Because the ages of the potential users ranged from 7-18 years old there will need to be a method of limiting what can be accessed by particular groups, as far as samba and this thread go I think it’s only being members of the same group (and getting the relevant permissions) whichever machine they log on with that’s relevant

They expect a pool of around 50 users and given their limited funds don’t really want to spend out on windows disks, nothing they expect the machines to be used for can’t be done with suse (or pretty much any other linux really) so there’s not much likelihood of there being windows clients

My questions really are whether there would be any point to using a samba domain as there won’t be windows clients, and if so what’s likely to be the easiest way to handle the accounts, would the number of users justify the hassles of using ldap for example (I hear it can be a pain to set up)

If it’s not worth using a samba domain what other ways might I do it?

I have wondered if setting up the users home directories so that they’re all on a central machine rather than a local drive would be workable and possible, that would still require setting up all the users on every machine though

Not sure what to do for the best and any thoughts/advice much appreciated

I think you might want to consider what you’re getting into. 50 Users is a very sizable network for someone with no experience, I highly recommend you collaborate with at least one person who can assist you in architecture and setup. Afterwards, you may be able to maintain it largely by yourself.

For 50 users, I would think you would want to set up network Domain-based security like OpenLDAP (personally, for 50 Users I would feel the $600 or so for a Windows DC would be well worth it but that’s just me). Maybe others could comment, but the little experience I’ve had touching NIS suggests it wouldn’t be sufficient. Another possibility to consider might be Novell Open Enterprise Server, but that likely would cost.

  • It’s always a very bad idea for anyone to share the same logon credentials (same User account) because it makes accountability impossible, if someone were to violate your Terms of Use, ethical or general legal use of the machine or somehow causes a malfunction, you won’t be able to identify the person responsible for the behavior.

  • You didn’t state the number of machines you want to setup, are there up to 50 machines or all sharing or remoting into only a few machines.

  • Once you understand the importance of separate and individual logon credentials, there are a number of different ways to share information which I think addresses why you might have proposed more than one person sharing the same User Account. Samba is one way which supports network CIFS shares similar to Windows shares. If you have enough local disk space on a very small network, you might also consider file replication as an alternative. Samba would also be one easy way to allow files to be shared when Users use a mix of different OS machines. The major alternative to Samba is a Web-based CMS (Content Management System).

A general rule of thumb is to avoid placing home directories on a central machine because of the load it would place on your machine’s network capabilities (expect latencies), although in some scenarios benefits may outweigh drawbacks (eg roaming users). Note that you can engineer hybrid compromises, eg the home folder only contains high use, small files while large files would be placed in a separate network share.

Again, I would highly recommend you contract with someone to assist you in this project.

HTH,
Tony

Hi Tony, thanks for the reply mate

I’m not totally without experience and although it’s fair to say that whilst my knowledge and experience of networks is above average it’s not what I do on a daily basis and I wouldn’t consider it to be extensive or advanced. I’ve put together a few small office networks (windows) and been using OpenSuse here at my own little office for desktop and server applications since version 10.2

One thing I’m not afraid of is googling info on how to do things and getting ‘down and dirty’ in conf files

I did once set a suse machine up as a samba pdc, just for a look really, not with any serious intent, just using the smbpasswd backend and this was a few years and several versions back. I do have a friend/ex-colleague with wider networking experience than me that I can call on but as he works at the other end of the country and isn’t home often he can’t be involved with any hands-on stuff to do with this but will be useful for pooling ideas etc

To start with there are only going to be four machines including the server, costs are always going to be an issue as they rely on grant funding coupled with some local business sponsorship style donations for their operating budget, so the likelihood of them spending out on brand new machines and Windows server OSes is slim

Physical space is also a factor so I doubt they will ever end up with more than ten machines, perhaps not even that many so there aren’t ever going to be 50 users logged onto the system at any given time, not even close. The only usage of large files is likely to be some video and audio editing for which I’ve already given them a machine running Ubuntu Studio that won’t be part of the network so there won’t be a huge load on the network in that respect

As you mentioned roaming users is an important benefit to using remote home dirs that I think may well be worth implementing, would samba or nfs be best do you think?

I am thinking of using squid/squidguard for content filtering, squid I’ve used before, squidguard I haven’t and am not sure of its capabilities for a different set of filters for different groups but I imagine it can be done

As for remote access it’s likely to be only myself and one other person for administrative purposes

Not sure how I gave the impression of using shared logons but that won’t be happening, every member that wants to use the computers (some won’t) will have their own login credentials and userspace

I’m thinking of trying a samba pdc with an ldap backend on a test network here, check it out with and without remote home directories as well as checking out how well squidguard works with differing ‘group filtering profiles’, see how it goes

AFAIK you can use NIS and NFS to do this. I use this combo at home, and in some networks I manage.
The 10 machine 50 user idea fits quite well with one of them (12 machines 30 users). Each user, no matter where hesh logs in, always has hesh own desktop, Documents folder, i.e. /home/USERNAME

Done, in short, like this:
Server:
NIS-server - for central user and permission administration
NFS-server - for exporting folders, amongst which “/home”
Client:
NIS-client - so no users on the client machines, only root
NFS-client - to mount the exported folders, amongst which “/home”.
A port is forwarded to the server on a router for ssh (not the default port), so I can login remotely on the server, and from the server to each client.

Advantages of this setup:
transparent
you can configure and maintain it through Yast

When architecting your solution, you will need to separate your security needs from resource needs… eg
Security - Account Management, UAC
Resource - Collaborative needs, Application and file

It sounds to me very much like the majority of your Users are or will be remote, not necessarily in the office.

If that is the case
Consider a web based CMS. It would simplify WLAN security management by making it entirely application level since there would be little need to manage actual machines. Typically you would also deploy integrated collaborative solutions within the CMS so you would be able to administer everything from/on the Server. The solution would implement “Internet friendly” network protocols like HTTP and DNS instead of NetBIOS, etc. If you choose a web based CMS, I doubt you’ll need network authentication like LDAP or NIS although such things are often still an option.

If your 50 Users all will be cycling through your office using your 4 or so machines (laptops don’t usually count since people take them with them), then you might consider LAN type technologies like SAMBA. Note that SAMBA3 is not a WLAN technology, if you want to provide remote access it’s typically done through a VPN (there is a proposed feature in SAMBA4 to support WLAN). Also, I doubt that 4 machines rises to the threshold of deploying network authentication like LDAP or NIS but it becomes more of a consideration.

My 2 cents/farthings/specks of dirt,
Tony

Knurpht the idea of each user having their own desktop, documents etc wherever they log in from is the very thing I’m looking to do though I’ve never looked at or considered NIS so perhaps I should have a read up on it as I don’t really know anything about it

With regards to cms when I hear that term I think of websites rather than configuring servers so I don’t know much about what’s available that could help me here, but there are two I’ve come across in the past which I’ve not looked at in any depth which may be the kind of thing Tony is talking about

Do you mean something like Webmin or ISPConfig Tony?

Is there some other package you maybe have in mind that I can use?

You said you are situating in a youth club. So is kiosk mode an issue?
If so you might have a look at Kiosktool:
Kiosktool - openSUSE
The KDE Extragear - Kiosk Admin Tool

and GCompris for the younger ones:
GCompris - openSUSE

Kiosk admin tool looks like it may become a useful tool in time, still a bit limited as yet though and as far as kiosk goes I found these two pages to be very informative: KDE Developer’s Corner - KDE Kiosk Mode and KDE System Administration/Kiosk/Introduction - KDE TechBase

Went for a read up on GCompris, followed the link given on the page you posted that says ‘Please have a look at the glorious online manual in the GCompris Wiki’ and when I got there found: (There is currently no text in this page)

Every page on the gcompris wiki is basically empty so I’ll chalk that one up as ‘may be something to revisit later’

Thanks for the heads up on those zwenny but kiosk especially is more about locking kde settings and resources rather than ways to set up the underlying system and things like user logins and profiles

Tried a test user on a server, exporting its /home over nfs then adding the test user on a client using the exported test home as its /home/test folder

Two things I found, one being that I had to mount the nfs export in the client’s fstab with the users option, I keep getting ‘/home directory is not writable’ without specifying this

Not keen on all users being able to umount /home … shouldn’t there be a way to mount it and not have Yast report it isn’t writable when adding the user without the users option in fstab?

I have found though that after a user has been added the users option can be removed from fstab and the user’s desktop and file/folder access works just fine

I haven’t yet tried adding a user with adduser so I don’t know whether this issue only applies when using Yast to create users

The second thing is that when the nfs share is mounted the owner gets set with the user’s uid on the server rather than by name and for it to work properly the user’s uid on the client needs to match the uid on the server

A thought just occurred to me when I typed that, it might have been the mismatched uids that was preventing me from setting the home folder without users being in the mount string

Also I haven’t implemented NIS client on the client machine yet though I do have the nis server running on the server machine, maybe once I do that the issue will resolve itself

In dire need of beauty sleep now so I’ll play with it some more tomorrow
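The two problems described in the post above (a uid that differs between server and client, and the users option left on the /home mount) can both be checked from a shell. This is an added example and not code from the thread; the passwd entries, the fstab lines and the server name are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks two things the thread ran into:
# (1) accounts whose uid on the NFS client differs from the server's uid, which
#     makes the NFS-mounted home show up as owned by a different user;
# (2) whether the /home entry in fstab carries the "users" option, which lets
#     any logged-in user unmount /home. All passwd/fstab content is constructed.

TMP=$(mktemp -d)

# Constructed: accounts as the server has them (on a NIS client the same
# information comes from the passwd map, e.g. `ypcat passwd`).
cat > "$TMP/server.passwd" <<'EOF'
test:x:1001:100:Test User:/home/test:/bin/bash
alice:x:1002:100:Alice:/home/alice:/bin/bash
bob:x:1003:100:Bob:/home/bob:/bin/bash
EOF

# Constructed: a client where "bob" was added by hand and got uid 1005.
cat > "$TMP/client.passwd" <<'EOF'
test:x:1001:100:Test User:/home/test:/bin/bash
alice:x:1002:100:Alice:/home/alice:/bin/bash
bob:x:1005:100:Bob:/home/bob:/bin/bash
EOF

# Constructed fstab lines: first with "users" (as in the thread), then without.
printf '%s\n' 'server:/home /home nfs rw,hard,intr,users 0 0' > "$TMP/fstab.users"
printf '%s\n' 'server:/home /home nfs rw,hard,intr 0 0' > "$TMP/fstab.fixed"

# Print "name server_uid client_uid" for each account present on both sides
# whose uid differs. Returns 1 when a mismatch exists, 0 when all agree.
uid_mismatches() {
    found=0
    while IFS=: read -r name _ uid _; do
        cuid=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$2")
        if [ -n "$cuid" ] && [ "$cuid" != "$uid" ]; then
            echo "$name $uid $cuid"
            found=1
        fi
    done < "$1"
    return $found
}

# Return 0 if the nfs entry for /home in the given fstab lists "users" (or
# "user") among its mount options, 1 otherwise.
fstab_home_has_users_option() {
    awk '$2 == "/home" && $3 == "nfs" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "users" || o[i] == "user") hit = 1
         }
         END { exit hit ? 0 : 1 }' "$1"
}

uid_mismatches "$TMP/server.passwd" "$TMP/client.passwd" || echo "uid mismatch found"
fstab_home_has_users_option "$TMP/fstab.users" && echo "fstab: /home can be unmounted by any user"
```

On a real client, point uid_mismatches at the server's passwd (or the NIS map) and the client's /etc/passwd, and run the fstab check against /etc/fstab once the test account has been created and the users option removed.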

It works perfectly with nis logins and /home exported as an nfs share which is then mounted as /home on the client via fstab

We could probably go with that setup except for me being a bit concerned over nis not using encryption for passwords

Guess I’ll spend my weekend playing with ldap!

Can’t do anything with it tonight as I have my wannabe rockstar nephew coming round for a guitar lesson

A CMS is a Content Management System.
Think of it this way…
In the very specific situation (but very common) where you will not ever manage the security and safety of the client machines Users sit down at, then you only need to concern yourself with the management of information resources which generally mean file documents, and oftentimes the applications used to exchange information between your Users like email, IM, groupware like shared bulletin boards, chat, notifications, scheduling, calendaring, and more. You not only manage User access to shared resources but generally can assign private areas for personal file storage, etc.

CMS does all of this on a single application platform (today usually web based) which means you don’t have to deal with stuff like home folders, machine user accounts, integration of User accounts with various apps (eg SAMBA,LDAP), extending LAN technologies to the WLAN (eg SAMBA, NFS, VPN, gateways, firewalls).

Since everything is usually integrated, the User simply logs in once to the CMS and everything “just works” right away.

CMS can be big and “enterprise” like Plone but will range in capability and features like Drupal, PHPnuke, JBoss and plenty more. Just Google “CMS” and you’ll return plenty of options, even sites which have pre-deployed demos you can try before you deploy.

Tony

So yeah something like Webmin or ISPConfig then

I’ve tried both of those as well as things like whm, cpanel, plesk etc for website/vps accounts but to be honest they may be convenient but I’ve not found any of them easier or ‘better’ than using tools the os comes with, especially suse’s yast and they can also be a bit quirky in the way they configure things

Also, using one doesn’t answer the question of what may be the most suitable protocols, services etc to use, they just provide a way of working with them

I’m probably gonna go with NIS coupled with an NFS export for /home (especially given the problem I’m experiencing in this thread Ldap causing boot problems), and use a combination of ssh and nx for any remote admin stuff they may need me to do

Thanks for the input though mate